All web-exposed features on Firefox must be served on HTTPS/TLS from now on
HTTPS is not just for websites, despite the fact that this is a common misconception. Granted, securing the connection between a website and a browser is the main job of HTTPS. But, there are certain ‘features’ that we use on websites that enhance our experience. These features include familiar names such as HTTP/2, Geolocation, Payment Request API, etc.

Until now, some of these features needed to be Secure Contexts (HTTPS-only). From now on, this is going to change. “Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” Anne van Kesteren wrote on the Mozilla blog yesterday.

Further explaining the “web-exposed” features falling under the umbrella of secure contexts he writes,

“Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.”

What are Secure Contexts?
As a result of a continuous push to encrypt the internet, we’re witnessing a remarkable migration to HTTPS. Undoubtedly, it’s a good thing. However, just a Green Padlock isn’t enough. Encrypting entire contexts is highly desirable, and that’s what ‘secure contexts’ is intended for.

Mozilla defines it as a Window or Worker for which:

“…there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”

Let’s make this clearer with an example. Suppose you have a website named https://example.com and you have managed to orchestrate an awesome report highlighting the difference between a cat person and a dog person. But this document opens up in a new window that isn’t TLS delivered (without specifying noopener). This website is considered to be an ‘insecure context.’

To put it simply, all the pages – including the parent and opener pages – must be delivered securely to be termed as ‘secure contexts.’

Why Secure Contexts?
Modern-day websites aren’t just meant for web-surfing purposes—they do much more than that. Whether it’s facilitating communication through a microphone, deriving a user’s location (with permission of course), or detecting the motion of a device—these features are becoming a common thing as far as websites are concerned.

These features utilize sensitive data and thus pose a significant risk as far the privacy and credibility of data are concerned. If data is not secured through HTTPS, a hacker/attacker could eavesdrop or tamper with the data using a ‘man-in-the-middle’ attack.

Google announced these same changes to its browser, Chrome, in July of last year.

Current List of Secure Contexts-only Features in Major Browsers
For your reference, here’s a list of features restricted to secure context:

This is going to come back and bite them in the ass, IF they actually go through with this. ALL content served via ssl? What utter horse crap.

Yes, it's easy in today's world to setup AutoSSL, but not everyone needs, or wants this, and not everyone should need or want this!

Let's forget how 'easy' it is to setup Autossl though, and focus on the sheer numbers of individuals who'd get caught in the horror here. Believe it or not there's bound to be millions STILL using XP , which cannot support SNI at all. So, those people are basically SOL when it comes to Firefox.

This is going to come back and bite them in the ass, IF they actually go through with this. ALL content served via ssl? What utter horse crap.

Yes, it's easy in today's world to setup AutoSSL, but not everyone needs, or wants this, and not everyone should need or want this!

Let's forget how 'easy' it is to setup Autossl though, and focus on the sheer numbers of individuals who'd get caught in the horror here. Believe it or not there's bound to be millions STILL using XP , which cannot support SNI at all. So, those people are basically SOL when it comes to Firefox.

Talk about ridiculousness

Google doing the same on chrome and i hear MS going to do it on edge as the secret club CA/B forum wants this.

This is the main reason cPanel set up AutoSSL so that all accounts using cpanel can have ssl as standard

This is going to come back and bite them in the ass, IF they actually go through with this. ALL content served via ssl? What utter horse crap.

Yes, it's easy in today's world to setup AutoSSL, but not everyone needs, or wants this, and not everyone should need or want this!

Let's forget how 'easy' it is to setup Autossl though, and focus on the sheer numbers of individuals who'd get caught in the horror here. Believe it or not there's bound to be millions STILL using XP , which cannot support SNI at all. So, those people are basically SOL when it comes to Firefox.

Talk about ridiculousness

That what they get for using their Grandfather's Duo 2 Core PCs hahaha. But seriously they are probably full of viruses by now anyways so replacing it or failing that just wiping it clean is the way to go.

It really isn't as simple as 'upgrade' or 'wipe it clean'. There are companies with software that literally don't run on anything but XP. The devs of said software don't exist any more, so you can't really just say "hey, upgrade". Hell, a $multi-million , multinational company does this just here in Iowa. John Deere, perhaps you've heard of them?

It's never as simple as "just upgrade" or "just reload". In the case of JD, they've got systems that cost more in maintenance fees than they do to upgrade (as in hardware), and they're just a hardware problem or two away from total combustion. However, the budget is not there for an upgrade the size you're talking about.

It really isn't as simple as 'upgrade' or 'wipe it clean'. There are companies with software that literally don't run on anything but XP. The devs of said software don't exist any more, so you can't really just say "hey, upgrade". Hell, a $multi-million , multinational company does this just here in Iowa. John Deere, perhaps you've heard of them?

It's never as simple as "just upgrade" or "just reload". In the case of JD, they've got systems that cost more in maintenance fees than they do to upgrade (as in hardware), and they're just a hardware problem or two away from total combustion. However, the budget is not there for an upgrade the size you're talking about.

Corporate businesses are indeed known to be like that where it takes forever to get budgets for such. However you either gotta pick it up or be lost in the "race".

Because even if your a "big player" it won't be long for a more IT competent business to gladly eat them whole otherwise.

recent case in the UK.
The NHS was hit by the WannaCry Ransomware last year as they were using Windows XP and the UK Gov. had decided not to continue to pay Microsoft for security updates.
If you are running a business then you should make sure your IT infrastructure is upto date.
If you are using software/modules that are outdated and dev. no longer exist then it is time you change this

recent case in the UK.
The NHS was hit by the WannaCry Ransomware last year as they were using Windows XP and the UK Gov. had decided not to continue to pay Microsoft for security updates.
If you are running a business then you should make sure your IT infrastructure is upto date.
If you are using software/modules that are outdated and dev. no longer exist then it is time you change this

Exactly, either change your software or update it. You don't? Then either security or the market will make you suffer in the long run.